3

I want to convert http request to https for my website. I have already taken SSL Certificate but there may be chance of bypass my Application's enabled encryption and after having certificate my application is not able to prevent accessing over unsecure connection

Jozef Chocholacek
  • 2,874
  • 2
  • 20
  • 25
Rakesh Bhagat
  • 397
  • 2
  • 5
  • 22

3 Answers3

5

Unfortunately there is no easy way to enable this in weblogic (easy in form of a simple checkbox).

Your best option is probably to add your own filter to add the HSTS header. Have a look at this answer on how to do that: https://stackoverflow.com/a/30455120/1391209

Here the relevant answer text for easier reference (and in case that answer gets deleted):

You can add it using a filter. Add the following snippet to web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>

And then create a filter in your webapp:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }
}
Community
  • 1
  • 1
Slettal
  • 1,007
  • 13
  • 19
  • Excuse me. Is it really just need to put those snippet on `web.xml` and create filter class? I see the reference question(question part) also do redirection on the jsp. Is this a must? – Yeung May 02 '17 at 09:51
  • 2
    @Yeung It's really just that. It also works with other technologies like jsf (not only jsp), as long as the request goes through the servlet engine. You can read more about it here: http://www.oracle.com/technetwork/java/filters-137243.html – Slettal May 03 '17 at 07:56
1

use this code in your web.config

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>
FelixSFD
  • 6,052
  • 10
  • 43
  • 117
Mahmoud Bayoush
  • 61
  • 5
1

Use -Dweblogic.http.headers.enableHSTS=true JVM system property for Oracle Weblogic Server 12.2.1.4 or more recent versions. Older patch sets/releases with applied October 2019 patch set update also have this functionality backported.

David Lakatos
  • 319
  • 3
  • 7